---
title: Gaining access to remote services with Medusa
course: intro_pentest
section: Exploitation
layout: lesson
---

When reviewing the output from step 2, always make special notes of IP addresses
that include some type of remote access service. SSH, Telnet, FTP, PC Anywhere
and VNC are popular choices because gaining access to these services often
results in the complete owning of that target. Upon discovery of one of these
services, hackers typically turn to an “online password cracker”. Online
password crackers work by attempting to brute force their way into a system by
trying an exhaustive list of passwords and/or username combinations.

When using online password crackers, the potential for access can be greatly
increased if you combine this attack with information gathered from step 1.
Specifically you should be sure to include any usernames or passwords you
discovered. The process of online password cracking literally requires the
attacking program to send a username and a password to the target. If either the
username or password is incorrect, the attack program will be presented with an
error message and the log-in will fail. The password cracker will then send the
next username and password combination. This process continues until the program
is either successful in finding a login/password combo or it exhausts all the
guesses. On the whole, even though computers are great at repetitive tasks like
this, the process is rather slow.

You should be aware that some remote access systems employ a password throttling
technique that can limit the number of unsuccessful log-ins you’re allowed. In
these instances either your IP address can be blocked or the username can be
locked out.

There are many tools that can be used for online password cracking. Two of the
most popular tools are Medusa and Hydra. These tools are very similar in nature.
In this course, we’ll focus on using Medusa, but it’s strongly encouraged that
you become familiar with Hydra as well.

Medusa is described as parallel log-in brute forcer that attempts to gain access
to remote authentication services. Medusa is capable of authenticating with
numerous remote services including AFP, FTP, HTTP, IMAP, MS-SQL, MySQL, Net
Ware, NCP, NNTP, PcAnywhere, POP3, REXEC, RLOGIN, SMTP-AUTH, SNMP, SSHv2,
Telnet, VNC, Web Form and more.

To use Medusa, you need several pieces of information including the target IP
address, a username or username list that you’re attempting to log in as, a
password or dictionary file containing multiple passwords to use when logging in
and the name of the service you’re attempting to authenticate with.

One of the requirements listen above is a dictionary list. A password dictionary
is a file that contains a list of potential passwords. These lists are often
referred to as dictionaries because they contain thousands or even millions of
individual words. People often use plain English or some small variation like a
1 for an i or a 5 for an s when they create passwords. Password lists attempt to
collect as many of these words as possible. Some hackers and penetration testers
spend years building password dictionaries that grow to gigabytes in size. A
good dictionary can be extremely useful but often requires a lot of time and
attention to keep clean. Clean dictionaries are streamlined and free of
duplication.

There are plenty of small wordlists that can be downloaded from the Internet and
serve as a good starting point for building your own personal password
dictionary. There are also tools available that will build dictionaries for us.
However, fortunately, BlackArch have already included a few wordlists for us to
use. You can find these dictionaries in the "`/usr/share/dirb/wordlists`"
directory.

Once you have your password dictionary, you need to decide if you’re going to
attempt to log in as a simple user or if you want to supply a list of potential
users. If your reconnaissance efforts were rewarded with a list of usernames,
you may want to start with those. If you were unsuccessful in gathering
usernames and passwords, you may want to focus on the results of the e-mail
addresses you collected with The Harvester. Remember, the first part of an
e-mail address can often be used to generate a working domain username.

Assume that during your penetration test you were unable to find any domain
usernames. However, The Harvester was able to dig up the e-mail address
ben.owned@example.com. When using Medusa, one option is to create a list of
potential usernames based on the e-mail address. These would include ben.owned,
benowned, bowned, ownedb and several other combinations derived from the e-mail
address. After creating a list of 5–10 usernames, it’s possible to feed this
list into Medusa and attempt to brute force my way into the remote
authentication service.

Now that we’ve a target IP address with some remote authentication service
(we’ll assume SSH for this example), a password dictionary and at least one
username, we’re ready to run Medusa. To execute the attack, you’d open a
terminal and issue the following command:

```
medusa -h target_ip -u username -P path_to_password_dictionary -M authentication_service_to_attack
```

Take a moment to examine this command in more detail; you’ll need to customize
the information for your target:

* The first keyword “medusa” is used to start the brute forcing program.
* "`-h`"is used to specify the IP address of the target host.
* The "`-u`" is used to denote a single username that Medusa will use to attempt log-ins
  * If you generated a list of usernames you’d like to attempt to log in with
    each of the usernames on the list, you can issue a capital "`-U`" followed
    by the path to the username file.
* Likewise, the lowercase "`-p`" is used to specify a single password, whereas a
  capital "`-P`" is used to specify an entire list containing multiple
  passwords. The "`-P`" needs to be followed by the actual location or path to
  the dictionary file.
* The "`-M`" switch is used to specify which service we want to attack.

To clarify this attack, let’s continue with the example we set up earlier.
Suppose we’ve been hired to conduct a penetration testing against the company
“example.com”. During our information gathering with MetaGooFil, we uncover the
username of “ownedb” and an IP address of "`172.16.45.129`". After port scanning
the target, we discover that the server is running SSH on port 22. Moving to
step 3, one of the first things to do is to attempt to brute force our way into
the server. After firing up BlackArch and opening a terminal, we issue the
following command:

```
medusa -h 172.16.45.129 -u ownedb -P /usr/share/dirb/wordlists/small.txt -M ssh
```

If you’re having problems getting Medusa (or any of the tools covered in this
course) to run on your version of BlackArch (or any other linux distro), it may
be useful to reinstall the program. You can reinstall Medusa with the following
command:

```
pacman -S medusa
```

If you’re using a debian-based Linux distribution, you can try adding either the
Kali Linux repo or the Backtrack repo.

If Medusa returns a string like "`ACCOUNT FOUND: [ssh]`", it means Medusa
successfully found the password, and at this point you’d be able to remotely log
in as the user.

Depending on the level of engagement and goals defined in your authorization and
agreement form, you may be done with the penetration test at this point.
Congratulations! You just completed your first penetration test and successfully
gained access to a remote system.
